NIST Cybersecurity Framework: Mandating what you should “Know”?

In case you haven’t seen it yet, Presidential Executive Order 13636 directs the U.S. National Institute of Standards and Technology (NIST) to “work with stakeholders to develop a voluntary framework for reducing cyber risks to critical infrastructure. The Framework will consist of standards, guidelines, and best practices to promote the protection of critical infrastructure.”

NIST is collecting public and industry input and feedback on their drafts of the Framework both via email and through a series of workshops. I attended Workshop #3 earlier this month, along with roughly 400 other industry and association representatives. The workshop was 2.5 very full days of feedback on their initial strawman. I’m not sure actual consensus was reached on most points, but there were some noticeable trends in the feedback that NIST carried back with them. What was just as interesting, though, was the policy battle playing out alongside the technical discussions.

I and other Intel and McAfee representatives attended various working sessions, and between us we got a good cross-section of the industry feedback on the strawman framework (the “Core”) itself. NIST proposed in the strawman Core a largely hierarchical approach, starting with some top level concepts and adding detail at each lower level, organized in a matrix. At the top are five “Functions”: Know, Prevent, Detect, Respond, and Recover. Except for the “Know” function, this describes a pretty common security model, even if the labels differ from place to place. Beneath each Function are “Categories,” breaking out into more detail what kinds of things might be done as part of that Function.

Attendees were intrigued by the Know function, as it could add a valuable piece to existing prevent-detect-respond-recover models. But it was unclear how Know would actually be defined, as it involved an unpopular second matrix relating to an organization’s management. Along with the Functions, the strawman included “Roles,” which were defined as Senior Executives, Business Process Managers, and Operational Managers. The second matrix lists each Role and the corresponding expectations for each Function. The idea is that the second matrix would describe generally what is expected of people in that role for that function. For example, under Know, the Senior Executives should know the risk posture and risk tolerance of the organization, the Business Process Managers should know the organization’s risk landscape, controls framework and gaps, and the Operational Managers (essentially, the implementers) should know the latest risk assessments, controls designs, and operational metrics. Below that top level, Framework Implementation Levels (FILs) describe in greater detail how that understanding might actually be implemented in the organization. (The matrix is in fact almost as confusing as this explanation.)

This is where some of the policy issues became apparent. There is a widespread and firm belief among many stakeholders that this Framework will become the basis of cybersecurity regulation at some point, despite it being described as “voluntary” in the Executive Order. If that regulation comes to pass, then the Roles could be interpreted in regulation as requiring certain people in your company to absolutely know certain things to a defined level, and probably attest to that in some way, like through an audit or SEC statement. Not knowing those things could lead to any number of sanctions, obviously none of which are defined at this point, and therefore could be very scary. Understandably there was significant push-back on the Roles idea, which in turn seemed to gut the Know function and so take all the value out of it. To counter that, there were a number of suggestions from the attendees, ranging from changing the labels to re-designing the matrices to scrapping the whole idea, with compelling arguments for each. And it seemed that every attempt by NIST to find a consensus just led to more suggestions.

NIST promised a fully revised draft Framework by the end of August. While I have not agreed with everything they’ve done, I am impressed with what they’ve created from the wildly divergent inputs they have received so far. I’m looking forward to seeing the draft, and what becomes of the Roles and FILs pieces.